SANS NewsBites

A Global Flood of New Ransomware Attacks

September 8, 2020  |  Volume XXII - Issue #71

Top of the News


2020-09-04

North Carolina School District Hit With Ransomware Last Month

North Carolina's Haywood County School District was the target of a ransomware attack in August. The district shut down its network and paused remote learning in response. Remote learning resumed on August 31, but some services remain unavailable. The operators of the SunCrypt ransomware also stole files from the district's systems.


2020-09-06

UK Universities Suffer Ransomware Attacks

Networks at two UK universities were recently hit with ransomware. The attack on Northumbria University forced the school to reschedule exams and close its campus while it restored its IT systems. Newcastle University said it was the target of a cyberattack and expects recovery to take several weeks.

Editor's Note

The attack surface for any enterprise includes all of its users. For a university, that is likely to include many naive users, making it especially vulnerable to infection. The plan should include network isolation to resist spread of compromise from students to faculty and administration. It should include provision for rapid recovery of essential applications.

William Hugh Murray

2020-09-07

Chilean Bank Hit with Ransomware

Chile's BancoEstado has shut down all branches after ransomware infected the bank's network. The malware reportedly gained a foothold in the system through a backdoor installed by a malicious Office document. BancoEstado, one of the three largest banks in Chile, disclosed the incident over the weekend.


2020-09-06

Netwalker Ransomware Infects Government Agency in Argentina

Argentina's immigration agency has been hit with Netwalker ransomware. The attack temporarily prevented border crossings into and out of the country. It may be the first reported ransomware attack against a government agency to have had a significant operational impact.


2020-09-04

Thanos Ransomware Variant Has MBR Overwrite Component

Researchers at Palo Alto Networks say that ransomware known as Thanos was used in attacks against systems at two state-run organizations in the Middle East and North Africa earlier this summer. The malware was configured to overwrite the master boot record (MBR). In these two cases, the overwrite failed because of an error in the malware's code.

The Rest of the Week's News


2020-09-04

Facebook's Third-Party Vulnerability Disclosure Policy

Facebook now has a vulnerability disclosure policy that lays out how the company will disclose security flaws it finds in third-party products. According to the policy, third-party companies will have 21 days to acknowledge Facebook's initial report and then 90 days to remediate the issue. If the company misses either deadline, Facebook may disclose the flaw publicly. Facebook also notes that where there are mitigating circumstances, such as a flaw that is being actively exploited, the disclosure timeline may differ.

Editor's Note

Looks like 3 months / 90 days is becoming the standard for vulnerability disclosures. This can be hard to meet for some complex bugs, but should be doable for most vulnerabilities.

Johannes Ullrich

Facebook has done a good job in recent years of essentially implementing an "App Store" to drive higher levels of security into third-party apps. Facebook has a managed bug bounty program that has some coverage of third-party apps in addition to Facebook's own software and sites. Third-party apps that access user data must undergo yearly pen testing and code review by qualified assessors. The "disinformation" problem on the content side of Facebook brings in an entirely different set of problems, but on the code security side Facebook seems to be doing the right things.

John Pescatore

2020-09-04

WhatsApp Security Bug Disclosures

WhatsApp has launched a dedicated security advisory page in an effort to be more transparent about flaws in its app. The page discloses six vulnerabilities in WhatsApp that have been patched this year.


2020-09-07

Visa Warns of Baka JavaScript Skimmer

Visa's Payment Fraud Disruption (PFD) group has issued a warning about Baka, JavaScript skimming malware with features designed to evade detection, including the ability to remove itself from memory. PFD first detected Baka in February 2020.

Editor's Note

Organizations have let JavaScript sprawl and are now struggling to control it. You need to know what JavaScript is supposed to be running on your site and monitor and verify that nothing else is running. Use content security policy and sub-resource integrity to assist in preventing unauthorized JavaScript from running.

Johannes Ullrich

This massive vulnerability is the result of the brands' decision to continue to publish the Primary Account Number in the clear and of merchants to accept them. https://whmurray.blogspot.com/2019/08/recommendations-on-retail-payment.html

William Hugh Murray

2020-09-04

Flash Support Ending at Year's End

Microsoft has confirmed that its browsers will no longer support Adobe Flash Player after December 31, 2020. As of January 1, 2021, Adobe Flash Player will be disabled by default and versions of Flash older than the June 2020 release will be blocked. Adobe will stop updating and distributing Flash at the end of the year.

Editor's Note

There's not much time and lots to do. At this point, you should have an inventory of all the in-house Flash applications that you will have to convert to HTML5 in the next 3 months. If not, you will end up having to maintain special virtual machines like the ones you keep around for old IPMI admin interfaces that require out-of-date versions of Java.

Johannes Ullrich

The end of Flash support has been talked about since July 2017 when Adobe issued a December 31 EOL for Flash. In the "Internet Things That Went Away and No one Missed Them," Flash and the blinking URL tag are high on the list.

John Pescatore

It is now more than a decade since Steve Jobs wrote his now famous Thoughts on Flash. More recently Bob Burroughs asserted that in addition to the problems Jobs noted in Thoughts, he was also concerned that Adobe would be a "less than reliable" partner in addressing security issues. While iOS users have managed well without Flash, it has taken the rest of the world a very long time to rid itself of this troublesome software. It is hard to believe that its value has exceeded the cost of its risk and continuing security maintenance. Jobs' decision has saved Apple customers much of that cost. He should be remembered for consistently putting quality and security ahead of generality, flexibility, and popularity. My hero.

William Hugh Murray

And that might just be the best piece of news in all of 2020.

Stephen Northcutt

2020-09-06

Tower Semiconductor Suffers Cyberattack

Systems at Israeli chipmaker Tower Semiconductor were hit with a cyberattack. The company has temporarily shut down some servers and some manufacturing operations.


2020-09-07

Government Funded Mobile Phones in US Preloaded with Code that Installs Adware

Some mobile phones provided to low-income users under the US government's Lifeline program are preloaded with malware. A device examined by a researcher at Malwarebytes was found to contain code that installs aggressive adware, which displays pop-up ads that cover the phone's screen and obstruct its use. The apps that install the adware cannot be removed from the phone without rendering it unusable.

Editor's Note

A classic supply chain security failure. The FCC says this is illegal, but it doesn't seem like the non-profit USAC that administers the Lifeline program for the FCC had a process in place to prevent this type of thing from happening. The program has issued a lot of waivers to make sure service was not interrupted to low-income users, so it is understandable if the desire to provide services trumped full privacy/security checking of devices, but more transparency on that side of the process is needed.

John Pescatore

Internet Storm Center Tech Corner